Flame Cyber ‘Super-Weapon’ Caught Firing On Iran

Flame may be the most sophisticated cyber weapon ever seen. Thanks to Iran, fingers are already pointed at nation states

A worm considered to be more complex than Stuxnet has been spotted attacking Iranian infrastructure, and it “might be the most sophisticated cyber weapon yet unleashed”.

The Flame (also known as sKyWIper and Flamer) malware has already caused shockwaves across the security community, with Kaspersky Lab expert Alexander Gostev calling it “one of the most complex threats ever discovered.”

“It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage,” Gostev said in a blog post.

Kaspersky said it believed a nation state was running Flame, as it was not being used to steal funds, nor was it a typical tool for hacktivists such as Anonymous to use.

Iran is the main target, with 189 infections. The second-most infected area is Israel/Palestine, with 98. Machines in Hungary, Lebanon, Austria, Russia, Hong Kong and the United Arab Emirates have also been hit. There appear to be thousands of victims worldwide, including academic bodies, private businesses and specific individuals.

Flaming heck…

Flame has worm capabilities, as it is able to replicate on both local networks and on removable devices, if it is commanded to do so. It can also look at network traffic, take screenshots when “interesting” applications like instant messaging apps are running, record audio conversations from an infected PC’s microphone and do some keylogging. Further functionality can be added via plug-ins whenever the attackers want.

One of the most idiosyncratic things about Flame is the inclusion of a virtual machine for Lua scripts. Lua interoperates easily with C++, which is what much of Flame is written in. “Generally, modern malware is small and written in really compact programming languages, which make it easy to hide. The practice of concealment through large amounts of code is one of the specific new features in Flame,” Gostev said.

It even has Bluetooth capabilities: it can discover nearby Bluetooth devices, and can switch the infected system’s Bluetooth on to do so.

All collected information is relayed back to the attackers’ command and control servers over a covert SSL channel. These C&C servers are scattered across the world.

“One of the most significant things is the size of the development, it is huge,” Kaspersky’s chief malware expert Vitaly Kamluk told TechWeekEurope. “It may take up to a year to do a complete analysis. The architecture of this thing is much more complicated than Stuxnet.

“In terms of the amount of functional code it is probably one of the biggest. Here we have 20MB of functional code so it can be triggered by the operator, which makes it significant.”

Despite the difference in size between Flame and Stuxnet, as well as its presumed data-stealing sister Duqu, and the fact that Flame, unlike the other two, was not built on the “Tilded” platform, Kaspersky pointed to some similarities between them.

“There are … some links which could indicate that the creators of Flame had access to technology used in the Stuxnet project – such as use of the ‘autorun.inf’ infection method, together with exploitation of the same print spooler vulnerability used by Stuxnet, indicating that perhaps the authors of Flame had access to the same exploits as Stuxnet’s authors,” Gostev added.

“On the other hand, we can’t exclude that the current variants of Flame were developed after the discovery of Stuxnet. It’s possible that the authors of Flame used public information about the distribution methods of Stuxnet and put it to work in Flame.”

Flame also uses the print spooler vulnerability (MS10-061) exploited by Stuxnet to spread across local networks. It is known to have infected fully-patched Windows 7 systems through the network, Kaspersky said.
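The removable-media vector quoted above, the “autorun.inf” infection method shared with Stuxnet, is something a responder can triage by hand. The following script is an added example written for this article, not code from Kaspersky, CrySyS or the Flame samples themselves. It parses an autorun.inf the way Windows’ lenient INF reader does (lines without `=` and anything before the `[autorun]` section are ignored, which is why an autorun.inf can carry junk or binary data ahead of its real directives) and flags the directives that launch code or disguise the AutoPlay prompt. The two sample files and the `.\drv\setup.exe` path are constructed for illustration and are not real Flame or Stuxnet artefacts.

```python
import re

# Directives in the [autorun] section that make Windows run something when the
# device is mounted or double-clicked in Explorer.
EXEC_KEYS = {"open", "shellexecute"}


def parse_autorun(data):
    """Parse autorun.inf into {section: {key: value}}.

    Mirrors the leniency of Windows' INF reader: blank lines, ';' comments and
    lines without '=' are ignored, and keys are case-insensitive, so leading
    junk in front of the [autorun] section does not stop the real directives
    from being read.
    """
    if isinstance(data, bytes):
        data = data.decode("latin-1")  # never fails; keeps binary junk as text
    sections, current = {}, None
    for raw in data.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def triage_autorun(data):
    """Return human-readable findings for an autorun.inf; [] means nothing launches."""
    findings = []
    autorun = parse_autorun(data).get("autorun", {})
    for key, value in autorun.items():
        if key in EXEC_KEYS:
            findings.append(f"{key}= launches {value}")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            # shell\<verb>\command hijacks Explorer's context-menu verbs
            verb = key.split("\\")[1]
            findings.append(f"context-menu verb '{verb}' runs {value}")
        elif key == "action" and "open folder" in value.lower():
            # Mimics Explorer's own "Open folder to view files" AutoPlay entry
            findings.append(f"AutoPlay prompt masquerades as Explorer: {value!r}")
    return findings


# Constructed samples for illustration (not real Flame or Stuxnet artefacts).
BENIGN_SAMPLE = "[autorun]\r\nicon=setup.ico\r\nlabel=Vendor USB\r\n"
MALICIOUS_SAMPLE = (
    "MZ\x90\x00 leading junk that a lenient INF parser skips\r\n"
    "[autorun]\r\n"
    "open=.\\drv\\setup.exe\r\n"
    "shell\\open\\command=.\\drv\\setup.exe\r\n"
    "shell\\explore\\command=.\\drv\\setup.exe\r\n"
    "action=Open folder to view files\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("malicious", MALICIOUS_SAMPLE)):
        print(name, triage_autorun(sample) or ["no findings"])
```

Run it against the `autorun.inf` at the root of a suspect USB stick (read the file as bytes; the parser accepts either form). The benign sample yields no findings; the constructed malicious one yields four: the `open=` launcher, two hijacked context-menu verbs, and an AutoPlay prompt dressed up to look like Explorer’s default entry.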

Yet the end goals of the two malware powerhouses differ. “Whilst Stuxnet was a worm targeting industrial control systems, this thing is more similar to Duqu, which was produced by the developers of Stuxnet,” Kamluk said.

“It is used as a cyber espionage tool.”

A nation state to blame?

The malware was spotted by a variety of agencies and security firms. Kaspersky was called in to help after the UN’s International Telecommunication Union found that an unknown piece of malware was deleting sensitive information from systems across the Middle East.

The Iranian Computer Emergency Response Team (MAHER) said earlier today it had found Flame, saying it bore a “close relation” to Stuxnet and that it evaded all 43 anti-virus products MAHER had tested. It claimed a removal tool was ready to be delivered, while a detector had already been sent out to certain organisations.

The Budapest-based Laboratory of Cryptography and System Security (CrySyS Lab) has also been investigating Flame, which it calls sKyWIper, saying it was arguably “the most complex malware ever found.”

Whilst Kaspersky said it was likely Flame was created around 2010, CrySyS Lab said it may have been running for five years or more, as one of its drivers was spotted on 5 December 2007.

“The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities,” the CrySyS Lab report added.

When Stuxnet hit in 2010, it was considered the most sophisticated piece of malware ever seen, as it could exploit four zero-day vulnerabilities. It seems the security community now has a fresh piece of malware to rule them all.


Creating powerful cyber weapons is grossly irresponsible and is no better than real-world terrorism; maybe worse, because if a cyber weapon hit vital control systems such as a dam, a nuclear system or even a humble traffic control system, lives could be lost.

Cyber weapons need to be internationally outlawed in the way chemical and biological weapons are.

The world is becoming very dangerous unless people’s attitudes of fanaticism, greed, selfishness and viciousness change, and they adopt tolerance, non-violence and kindness to all people, whatever their beliefs, appearance or style of living.